Firewalls play a significant role in securing today’s datacenters, but the technology must evolve if it’s to remain relevant, Fortinet VP of product Nirav Shah told The Register.
Enterprise datacenters are changing. Workloads don’t just run on-prem – increasingly they’re being deployed across multiple datacenters and clouds, he said. In line with these trends, the amount of traffic not only moving in and out of the datacenter — north-south traffic — but across the datacenter — east-west traffic — is increasing exponentially, driving operators toward higher-performance interfaces.
Dell’Oro Group expects shipments of 200Gbit/sec to 400Gbit/sec switches to more than double this year alone – driven in large part by AI and other bandwidth-hungry applications.
But while high-throughput, low-latency switching has been around for years, the approach compromises on security and may not be viable for highly regulated markets like healthcare or the financial industry, Shah claimed. The problem, he argued, is that most firewalls aren’t well equipped to inspect traffic at these speeds. And those that can do it are either prohibitively expensive or too large and complex to implement and maintain.
Fortinet is no stranger to this challenge. The company’s NP7 ASIC-based FortiGate 4200F and later 4400F firewalls, introduced in late 2020, brought 100Gbit/sec interfaces to a 4U chassis, with the 4400F delivering north of 1.15Tbit/sec of firewall capacity. These firewalls specifically targeted high-performance datacenter and hyperscale customers.
This week, the security vendor upped the ante with the FortiGate 3700F, which packs multiple 400Gbit/sec ports into an even smaller 2U chassis, though it gives up some raw capacity, coming in at 600Gbit/sec.
The 3700F isn’t for everyone, yet, Shah admitted. It’s aimed at customers dealing with large flows of sensitive data within and between private and cloud datacenters. Or as he put it, clients “building hyperscale datacenters for specific applications that need to [meet] compliance and performance requirements.”
Healthcare is one market in which Shah sees strong demand for this class of high-performance firewalls, because they’re often saddled with large quantities of highly sensitive data that may need to be moved between datacenters or the cloud to perform machine-learning tasks.
Meanwhile, financial institutions – particularly those dealing in high-frequency trading – need a security appliance that can keep up with millions of latency-sensitive connections every second, Shah said. “Ultra-low latency is equally important,” he said.
The latest firewall supports latencies down to two microseconds, which, according to Shah, makes firewalls like the 3700F ideal for these environments.
While demand for these kinds of firewalls is limited to a few specific industries for now, Shah said he expects the majority of datacenters to follow a similar path eventually.
Zero-trust in the datacenter
Beyond supporting larger data flows, Shah also sees firewalls as a means to extend zero-trust principles deeper into the datacenter.
“This is where we think network firewalls in the datacenter play a critical role,” he said. “We think that’s going to play an important role for the universal enforcement of zero-trust network access.”
While zero-trust network access is largely seen as a replacement for VPNs for remote access, Shah believes the technology can be applied to secure datacenter-to-datacenter traffic as well. Meanwhile microsegmentation – a technology often used in zero-trust architectures to ensure only those workloads that are supposed to talk to each other can – provides an avenue for securing application-to-application traffic within the datacenter.
“It’s high time to [start] using microsegmentation in datacenters, and the firewall remains the central part of that,” he said.
Taken as a whole, Shah argues that by doing all of this in the firewall, customers stand to eliminate the complexity of managing multiple platforms to achieve a zero-trust architecture.
Distributed firewalls gain momentum
Fortinet’s firewall-centric approach to datacenter security could soon be challenged by a new breed of security appliances.
Data processing units (DPUs) from companies like Intel, Nvidia, and Marvell provide customers with an alternative that, with the right software, puts a small firewall in every server. Last summer, rival firewall vendor Palo Alto Networks demoed this capability by deploying its virtualized firewall platform on Nvidia’s BlueField-2 DPUs.
The DPU functions similarly to a co-processor, offloading and accelerating Palo Alto Networks’ packet filtering and forwarding capabilities from the CPU. And, like Fortinet’s hyperscale firewalls, Nvidia claims this approach enables data flows previously thought impossible or impractical.
Asked whether Fortinet, which designs its own networking and security ASICs, would pursue a similar disaggregated approach to firewalls, Shah declined to comment – but didn’t rule out the possibility. Such a product – a FortiDPU perhaps – wouldn’t be all that surprising, according to ZK Research’s Zeus Kerravala.
“With BlueField, Palo Alto Networks has to port the software to it. They’ve gotta make sure that it’s optimized to run on BlueField,” he told The Register. “What Fortinet has with their security processing unit is silicon that’s optimized for what they do. It gives them a big price/performance advantage.”
The Fortinet Security Fabric offers another advantage by providing operators a means to manage and extend policy to each appliance centrally, Kerravala added. “Now that we’ve moved to this hybrid world where everything is distributed, that’s really the problem the fabric was created to solve.”